Spring Brings Tax-related Scams, Spams, Phish, Malware, and the IRS

Spring is here and that means scam artists are thinking about income taxes and the IRS. Not that scam artists pay income taxes, they just know taxes and any mention of the IRS is a good way to get your attention, which explains a steady stream of deceptive emails targeting tax-paying Americans who now have 22 days to go before their income tax returns are due (April 17 is the filing deadline this year). One measure of tax-related online scam activity is the Security Alerts page at Intuit, the company that sells the TurboTax line of products for filing taxes as well as the popular small business accounting software called Quickbooks. Here's a sample:

Intuit Security AlertsIntuit gets high marks for informing customers about these email scams, many of which try to infect your system with malware via a link to a bogus invoice. The guidance offered by Intuit is simple but bears repeating:

  • Do not click on the link in the email.
  • Send a copy of the email to spoof@intuit.com.
  • Do not forward the email to anyone else.
  • Delete the email.

And, because they have several years' worth of alerts online, you can see the annual uptick in scam activity as tax season arrives. The Internal Revenue Service itself has several web pages devoted to debunking bogus tax-related emails. I think the IRS deserves considerable credit for trying to educate the public about this problem.

Bogus IRS Penalty Emails

I checked the page that IRS maintains about Phishing and Other Schemes Using the IRS Name and sure enough there is a new entry for 2012, a warning about an email that is likely to scare a lot of people into reading the message. The subject line says: "Penalty for not filing tax return on time". How many people are confident enough about their knowledge of the tax code or their accounting skills or accountant to resist taking a look at a message like that?

Fortunately, the message contains some big clues that it does not actually come from the IRS despite the presence of the IRS logo. Whatever you think of the IRS–and personally I have always found the agency to be very fair–it is unlikely to have penned this piece of mangled English: "We would like to notify you, that you are encouraged to pay a penalty because you did not file income tax return before January 31, 2012."

Fake IRS emailI particularly like this turn of phrase, used for the link or call-to-action as a Marketing professor might call it: "Get inside our official site to obtain more information."

If you are worried about your taxes you might be tempted to click the link, but hopefully, you know by now that you should not click the link. It will not get you inside the IRS site. Instead it will try to take you to a website that tries to persuade you to give up personal information. Just to make the point clear, in well-written IRS English: The IRS does not initiate contact with taxpayers by email or any social media tools to request personal or financial information.

Your CPA is a Phishing Target Too

The fact that the IRS has been proactive in educating the public about scams abusing its name may explain why we are seeing a variety of alternative accounting-related scams aggressively promoted at this time of year. One example is the AICPA license revocation scam.

AICPA Tax Refund Fraud RevocationWho or what is the AICPA? It is the American Institute of Certified Public Accountants or CPAs. Of course, CPAs are usually very busy this time of year filing tax returns for clients. So, if you are a CPA you are probably going to pay attention when you see an email with the subject: "Revocation of CPA license, Termination of CPA membership, Tax refund fraud complaint".

You might even be tempted to open the complaint which appears to be attached to the email as a PDF file. However, that Complaint.pdf link actually takes you to a compromised website which redirects to malicious sites hosting a Blackhole exploit kit.

The very clever site at Dynamoo points out that the IP addresses of the malicious servers spamming people with these messages are the same for other spam campaigns, namely the BBB and the NACHA ones (the NACHA campaign dates back to 2009).

Last year M86Security and ESET reported that this spam is sent using the Cutwail botnet and ESET described how this botnet uses the Blackhole exploit kit to install SpyEye. (SpyEye allows the botmaster to steal personal data and credentials from your computer and use the device for a variety of illegal purposes.) Apparently the Cutwail botnet is still operational on about 1.5 million machines and, according to Sébastien Duquette, one of ESET's researchers in Canada, this particular spam may also attempt to install other malware such as Zeus, password stealers, Cridex, Festi, and more.

What this AICPA campaign apparently does not do is limit itself to CPAs. In other words, it does not seem to be targeted using a list of CPAs. In other words, anyone may get this email, but of course everyone should delete it, along with all other unsolicited, grammatically-incorrect, tax-related emails you may get this time of year.

Doing your taxes is chore enough without the added pain of removing malicious software from your computer. Of course, one way to help ensure you have a good tax filing season–and get more out of springtime–is to use reputable and regularly updated anti-virus software alongside reputable and regularly updated tax software.

Want to Take Action?

If you receive an unsolicited email that appears to be from either the IRS or an organization closely linked to the IRS, such as the Electronic Federal Tax Payment System (EFTPS), you can report it by sending it to phishing@irs.gov.

Author Stephen Cobb, ESET

  • David Harley

    @Ulrich, I'm afraid we can't help with licensing queries through the blog: that's a completely different team (in fact, several different teams). You need to use the contact page for your region at http://www.eset.com/about/contact/.

Follow us

Copyright © 2017 ESET, All Rights Reserved.